Changeset 2942090
- Timestamp: 07/23/2023 12:59:44 PM (13 months ago)
- Location: comment-form-csrf-protection
- Files: 4 added, 2 edited
comment-form-csrf-protection/trunk/comment-form-csrf-protection.php
r2497192 r2942090 4 4 Plugin URI: https://wordpress.org/plugins/comment-form-csrf-protection 5 5 Description: WordPress's default comment forms are not protected against Cross-Site Request Forgery. This plugin fixes that. 6 Version: 1. 26 Version: 1. 7 7 Author: Ayesh Karunaratne 8 8 Author URI: https://aye.sh/open-source … … 17 17 /** 18 18 * This looks paranoid, but we use 2 tokens here. Seed, the "build_id" with a 19 * CSPRNG (PHP 7.0+). It's base64 enc doded to fit nicely within HTML attributes.19 * CSPRNG (PHP 7.0+). It's base64 encoded to fit nicely within HTML attributes. 20 20 * 21 21 * Generate a traditional wp_nonce that makes use of the user session ID 22 22 * and has a tick function to prevent replay attacks. 23 23 * 24 * Secondly, we use ou town csrf_token with a proper HMAC with sha256. wp_nonce24 * Secondly, we use ou own csrf_token with a proper HMAC with sha256. wp_nonce 25 25 * is generated with MD5, which we no longer consider secure enough. 26 26 */ … … 38 38 39 39 add_action('pre_comment_on_post', function () { 40 $status = function (): bool {40 $status = function (): bool { 41 41 if (!isset($_POST['build_id'], $_POST['wp_nonce'], $_POST['csrf_token'])) { 42 42 return FALSE; -
comment-form-csrf-protection/trunk/readme.txt
r2497192 r2942090 3 3 Tags: comments, spam, security, csrf 4 4 Requires at least: 4.2 5 Tested up to: 5.76 Stable tag: 1. 25 Tested up to: 6 Stable tag: 1. 7 7 Requires PHP: 7.1 8 8 License: GPLv2 or later … … 11 11 12 12 == Description == 13 WordPress has a n 9 yearold unfixed security vulnerability that it does not properly validate incoming comments.13 WordPress has aold unfixed security vulnerability that it does not properly validate incoming comments. 14 14 15 An attacker can trick both anonymous and logged 15 An attacker can trick both anonymous and loggedin users to post comments on a victim site without them realizing, while using their own credentials. 16 16 17 17 See this issue for more information: https://core.trac.wordpress.org/ticket/10931 … … 19 19 This is a tiny (fewer than 40 effect lines of code) module that adds a secure token to the comment form and validate it before accepting any comment, thus making your comment forms secure as they should\'ve been for all these years! 20 20 21 It provides no UI - just install it and you are all set!21 It provides no UI - just install it and you are all set! 22 22 23 1. This plugin sadds a secret cryptographically-secure token to the comment form. This is a unique value and is computationally impractical to guess it.24 2. Upon comment sub ission, the comment is rejected if the secret tokens are not present or computationally invalid.23 1. This plugin adds a secret cryptographically-secure token to the comment form. This is a unique value and is computationally impractical to guess it. 24 2. Upon comment subission, the comment is rejected if the secret tokens are not present or computationally invalid. 25 25 26 26 == Installation == … … 37 37 38 38 = 1.1 = 39 This is a minor release that contains minimal changes. 39 This is a minor release that contains minimal changes. 
40 40 41 -Marks the plugin as tested up-to WordPress 5.342 -Fix in `composer.json` file that it required PHP^7.2 instead of intended ^7.143 -A micro optimization in the plugin to call the lambda function directly within the CSRF check.41 Marks the plugin as tested up-to WordPress 5.3 42 Fix in `composer.json` file that it required PHP^7.2 instead of intended ^7.1 43 A micro optimization in the plugin to call the lambda function directly within the CSRF check. 44 44 45 = 1. 2=46 Updating WordPress tested up to: 5.7 45 = 1. = 46 Minor release that contains several typo fixes and WordPress 6.3 compatibility
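Review bot: the docblock fix in comment-form-csrf-protection.php at line 24 still carries a typo: "we use ou own csrf_token" should read "we use our own csrf_token". While touching that comment, note that line 18 says "we use 2 tokens here" but the check at line 41 requires three POST fields (`build_id`, `wp_nonce`, `csrf_token`); stating that `build_id` is the CSPRNG seed and `wp_nonce` and `csrf_token` are the two validated tokens would keep the comment consistent with the code. The `Version: 1.` header on line 6 appears cut off in this view; confirm the plugin header and the readme `Stable tag` carry the same version string, since a mismatch is the usual cause of wordpress.org serving the wrong release.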
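Review bot: the readme.txt description at line 13 now reads "WordPress has aold unfixed security vulnerability", which dropped a word during the edit (the previous text read "a 9 year old"); it should be "an old" or keep the age. Several other wording issues remain in lines this changeset touches even though the new changelog entry says the release "contains several typo fixes": line 15 "loggedin" should be "logged-in", line 24 "subission" should be "submission", line 19 "validate it" should be "validates it", and the `should\'ve` at line 19 has a stray backslash before the apostrophe. Removing the leading `-` from the three 1.1 changelog items (lines 41-43) turns them into plain sentences; if they are meant as a list, give them a consistent list marker. The new changelog heading at line 45 shows as "= 1. =" here, so confirm it carries the full version number and matches `Stable tag`.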